Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.
It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).
In August 2022, three new versions of Microsoft Defender for Identity were released:
- Version 2.186, released on August 10, 2022
- Version 2.187, released on August 18, 2022
- Version 2.188, released on August 28, 2022
These releases introduced the following functionality:
Health Alerts with FQDNs instead of NetBIOS names
Since version 2.187, health alerts show the Microsoft Defender for Identity sensor's fully qualified domain name (FQDN) rather than its NetBIOS name.
New Health Alerts
Since version 2.187, new health alerts are available for capturing component type and configuration. A full overview of all Microsoft Defender for Identity sensor health alerts is available here.
Logic Behind Suspected DCSync Attack detections
Since version 2.187, Microsoft has changed some of the logic that triggers the Suspected DCSync attack (replication of directory services) alert (external ID 2006). The detector now also covers cases where the source IP address seen by the sensor appears to belong to a NAT device.
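To make the NAT point concrete, here is an added illustrative detector (not Microsoft's code, and not a description of how Defender for Identity actually works internally). It models the general idea behind a DCSync alert: a directory replication request from a source that is not a domain controller is suspicious. The twist the release note describes is that an IP address fronting many hosts cannot be used to identify the requester, so the check falls back to the requesting account. All names, addresses, thresholds and events below are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ReplicationRequest:
    source_ip: str        # IP address the sensor saw the request come from
    source_account: str   # account that issued the replication request
    target_dc: str        # domain controller that was asked to replicate


# Constructed inventory of domain controllers: computer account -> IP address.
KNOWN_DCS = {"DC01$": "10.0.0.10", "DC02$": "10.0.0.11"}

# Constructed observations (e.g. from earlier authentication traffic) of which
# accounts have been seen behind each source IP. An IP fronting many distinct
# accounts is treated as a NAT device whose address identifies no single host.
IP_TO_ACCOUNTS = {
    "10.0.0.10": {"DC01$"},
    "10.0.0.11": {"DC02$"},
    "10.0.0.50": {"alice", "bob", "WS-17$"},  # branch-office NAT (assumed)
    "10.0.0.77": {"WS-42$"},
}


def is_nat_device(ip, ip_to_accounts, threshold=3):
    """Heuristic (assumed): an IP seen with `threshold` or more distinct accounts is NAT."""
    return len(ip_to_accounts.get(ip, ())) >= threshold


def classify(req, known_dcs=KNOWN_DCS, ip_to_accounts=IP_TO_ACCOUNTS):
    """Return a verdict string for one replication request."""
    account_is_dc = req.source_account in known_dcs
    if is_nat_device(req.source_ip, ip_to_accounts):
        # The IP cannot vouch for the host, so judge by the account alone.
        return "benign" if account_is_dc else "suspected_dcsync_behind_nat"
    ip_is_dc = req.source_ip == known_dcs.get(req.source_account)
    if account_is_dc and ip_is_dc:
        return "benign"
    # Non-DC account, or a DC account seen from an address that is not its own.
    return "suspected_dcsync"


def detect(requests, known_dcs=KNOWN_DCS, ip_to_accounts=IP_TO_ACCOUNTS):
    """Return (account, ip, verdict) for every request that is not benign."""
    alerts = []
    for req in requests:
        verdict = classify(req, known_dcs, ip_to_accounts)
        if verdict != "benign":
            alerts.append((req.source_account, req.source_ip, verdict))
    return alerts


# Constructed replication events for a stand-alone run.
SAMPLE_REQUESTS = [
    ReplicationRequest("10.0.0.10", "DC01$", "DC02"),   # normal DC-to-DC replication
    ReplicationRequest("10.0.0.77", "WS-42$", "DC01"),  # workstation asks to replicate
    ReplicationRequest("10.0.0.50", "alice", "DC01"),   # user behind NAT asks to replicate
    ReplicationRequest("10.0.0.50", "DC02$", "DC01"),   # DC behind the same NAT: allowed
    ReplicationRequest("10.0.0.10", "bob", "DC02"),     # non-DC account from a DC's address
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_REQUESTS):
        print(alert)
```

The NAT branch is the point of the example: without it, a naive IP allowlist would either silence every request from the branch-office address (if the address were trusted because a DC sits behind it) or alert on the legitimate DC behind it. Judging by the account instead keeps the legitimate replication quiet while still surfacing the non-DC requester.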
Improvements and Bug Fixes
All August 2022 Microsoft Defender for Identity releases include improvements and bug fixes for the internal sensor infrastructure.